EventHunter: Dynamic Clustering and Ranking of Security Events from Hacker Forum Discussions
Yasir Ech-Chammakhy, Anas Motii, Anass Rabii, Jaafar Chbili

TL;DR
EventHunter is an unsupervised framework that uses Transformer embeddings and contrastive learning to automatically detect, cluster, and prioritize security events from hacker forum discussions, aiding proactive cybersecurity responses.
Contribution
This work introduces a novel unsupervised approach combining Transformer-based embeddings and a ranking mechanism to extract and prioritize security events from unstructured hacker forum data.
Findings
Effectively clusters related security discussions without predefined keywords
Prioritizes high-impact threats based on multiple metrics
Reduces noise and surfaces actionable cybersecurity intelligence
Abstract
Hacker forums provide critical early warning signals for emerging cybersecurity threats, but extracting actionable intelligence from their unstructured and noisy content remains a significant challenge. This paper presents an unsupervised framework that automatically detects, clusters, and prioritizes security events discussed across hacker forum posts. Our approach leverages Transformer-based embeddings fine-tuned with contrastive learning to group related discussions into distinct security event clusters, identifying incidents like zero-day disclosures or malware releases without relying on predefined keywords. The framework incorporates a daily ranking mechanism that prioritizes identified events using quantifiable metrics reflecting timeliness, source credibility, information completeness, and relevance. Experimental evaluation on real-world hacker forum data demonstrates that our…
